Feature

Under the skin of our gadgets, how China’s tech dominance became a national security risk

Britain is living through a new kind of siege. It is quiet, distributed, and already inside our homes, hospitals, warehouses, and streets. Cyber attacks on essential services have surged, and while headline hacks grab attention, the more profound risk sits in the circuitry of everyday devices. Phones, cars, payment terminals, lifts, traffic systems, routers, even light switches. The threat is not one big door to kick down. It is a million small windows left ajar.

At the heart of this story is supply chain power. Over the past decade, Chinese manufacturers have come to dominate key layers of global communications hardware. That includes cellular Internet of Things modules, the tiny radios that let smart meters, alarms, medical devices, industrial sensors, and transport systems talk to mobile networks. These modules are cheap, prolific, and often invisible to buyers because they are embedded by the time a product reaches the shelf. When the connective tissue of the modern economy leans so heavily on a single geopolitical rival, risk compounds.

This risk is not theoretical. Botnets built from compromised connected devices have already been used to coordinate attacks at scale. The infection vector is usually mundane. Default passwords that were never changed. Abandoned firmware that never received an update. Components that are two steps removed from the brand on the box, so accountability blurs. When thousands of small devices can be herded at will, disruption becomes a dial that can be turned up at a moment’s notice.

The UK has been cautious about naming China as an adversary, and selective in its restrictions. Huawei’s role in 5G was curtailed, but the wider ecosystem of cameras, routers, access points, baseband modules, and systems on chip has received less consistent scrutiny. The United States is moving faster. The Federal Communications Commission is closing loopholes that allowed previously authorised but insecure equipment to stay on shelves, and is expanding its covered list to block devices and components linked to foreign adversaries. The UK needs the same clarity. Piecemeal bans are not strategy. They are firefighting.

This is not an argument for isolation. China is a vital market and a scientific powerhouse. It is also a state that fuses industrial policy with intelligence objectives, and a supplier base that can undercut rivals on cost and scale. Both facts can be true. The task for Britain is to resolve the contradiction in policy that welcomes the parts while worrying about the intent. That starts with naming the risk and building practical guardrails that industry can follow.

The hidden layer that makes everything vulnerable

Most modern systems are stacks of stacks. A British retailer might buy a payment terminal from a European brand. Inside sits a board assembled in Southeast Asia. On that board sits a radio module made in China. In that module, the firmware that handles authentication and network handoffs may be closed source and rarely patched. The retailer will see a contract, a support phone number, and a glossy console. The attacker sees an ageing baseband, a shared default credential, and a fleet of thousands.

Cellular IoT modules, known as CIMs, are a special case because they extend the attack surface beyond local networks. They speak to mobile towers directly. A weakness here can bypass perimeter defences and zero trust policies further up the stack. Multiply that across smart meters, industrial controls, ambulances, and ticketing systems. You get the picture.

What a grown-up UK response should look like

This is solvable, but it needs policy that matches the problem. Distributed risk needs distributed action, backed by clear national lines in the sand.

  • Create a UK covered list, with teeth. Publish and maintain a list of suppliers and component classes that are barred from sensitive networks and public procurement. Include previously authorised models. Close the grandfathering loophole.

  • Mandate a bill of materials for connected devices. Require a software and hardware SBOM for any device purchased by the public sector or deployed in critical national infrastructure. If you cannot name the module, you cannot deploy the device.

  • Tie market access to update obligations. No automatic security updates, no sale. Vendors must commit to a minimum support window, publish end-of-support dates, and enable long-term update channels for embedded components.

  • Certify modules, not just finished products. Establish a UK assurance scheme for CIMs and other connectivity components. Test baseband firmware, crypto primitives, and secure boot. Make certification a procurement prerequisite.

  • Expand the telecoms security framework beyond 5G. Extend risk assessments, auditing powers, and supply chain controls to routers, cameras, access points, IoT gateways, and cellular modules used by utilities, health, transport, and retail.

  • Fund allied alternatives. Use targeted grants and procurement to grow domestic and allied suppliers of CIMs, secure routers, and industrial connectivity. Diversification is resilience. Cost parity will not happen by wishing for it.

  • Enforce default secure baselines. Outlaw default passwords, require hardware-backed identity, and mandate secure boot on any device that touches public networks. Make compliance testable at onboarding, not after a breach.

  • Practice failure, then practice recovery. Run national tabletop exercises that assume mass device failure. Can hospitals run with degraded telemetry? Can supermarkets take payments offline? Can logistics reroute around dark sensors? Write the playbooks now.

What boards and operators should do today

Waiting for regulation is a luxury. If your revenue depends on connected devices, act on the parts you control.

  • Inventory the invisible. Ask suppliers for an SBOM and identify radio modules, basebands, and management agents. Tag critical devices that connect over cellular networks.

  • Patch the unpatchable by segmenting. If a device cannot receive updates, cordon it off, restrict egress, and monitor for anomalous patterns like sudden SMS spikes or unusual APN changes.

  • Kill default credentials and shared keys. Rotate secrets at scale. Bind device identity to hardware where possible. Turn on mutual TLS. Disable unused services.

  • Replace the worst offenders. Prioritise swap-outs for devices with unknown provenance, no update path, or modules from suppliers on allied covered lists.

  • Contract for outcomes, not logos. Bake security SLAs into purchasing. Require update cadence, vulnerability disclosure, and component transparency. Penalise failures.
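To make the inventory, segmentation and replacement steps above concrete, here is an added example (not from the original article) that triages a device inventory against them. The record layout, device names, supplier names and the covered-list entry are all constructed placeholders, not a real SBOM schema or a real list.

```python
import json

# Constructed placeholder; populate from whichever covered list you track.
COVERED_SUPPLIERS = {"Placeholder Covered Supplier"}

# Constructed inventory with a simplified, hypothetical SBOM layout per device.
INVENTORY = json.loads("""[
 {"device": "payment-terminal-A", "cellular": true, "update_path": true,
  "components": [{"type": "cellular-module", "name": "module-1",
                  "supplier": "Placeholder Covered Supplier"}]},
 {"device": "lift-telemetry-B", "cellular": true, "update_path": false,
  "components": [{"type": "firmware", "name": "agent", "supplier": "Vendor B"}]},
 {"device": "access-point-C", "cellular": false, "update_path": true,
  "components": [{"type": "firmware", "name": "ap-os", "supplier": "Vendor C"}]},
 {"device": "smart-meter-D", "cellular": true, "update_path": true,
  "components": [{"type": "cellular-module", "name": "module-2",
                  "supplier": "Vendor D"}]}
]""")


def triage(device, covered=COVERED_SUPPLIERS):
    """Return the checklist findings for one device record."""
    reasons = []
    modules = [c for c in device.get("components", [])
               if c.get("type") == "cellular-module"]
    # A cellular device whose SBOM names no radio module is of unknown provenance.
    if device.get("cellular") and not modules:
        reasons.append("cellular module not named in SBOM")
    for m in modules:
        supplier = m.get("supplier")
        if not supplier:
            reasons.append(f"{m.get('name', '?')}: supplier missing")
        elif supplier in covered:
            reasons.append(f"{m.get('name', '?')}: supplier on covered list")
    no_updates = not device.get("update_path", False)
    if no_updates:
        reasons.append("no update path")
    return {"device": device["device"],
            "cellular": bool(device.get("cellular")),
            "segment": no_updates,          # cordon off what cannot be patched
            "reasons": reasons}


def plan(inventory):
    """Order devices so those with the most findings are swapped out first."""
    return sorted((triage(d) for d in inventory),
                  key=lambda r: -len(r["reasons"]))


if __name__ == "__main__":
    for row in plan(INVENTORY):
        print(row["device"], "segment" if row["segment"] else "-", row["reasons"])
```

A missing `update_path` field is treated as "no update path", so an incomplete supplier answer pushes a device toward segmentation rather than letting it pass.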

Clarity beats ambiguity

Britain needs a frank debate that treats China as both competitor and strategic risk, and that recognises how power in a networked world is exercised through parts, standards, and maintenance windows. The goal is not to shut the door on global trade. It is to shut the windows that are currently open by default.

Screens will go blank again. The question is whether payroll runs, stock moves, traffic flows, and hospitals function while they do. That answer depends on choices we make now. Define the risk. Publish the list. Fund the alternatives. Demand transparency in the stack. Build drills that assume failure. Then, when the next botnet looks for purchase, it will find fewer footholds and less time to climb.

The time for hedged language has passed. Set the rules, and enforce them. Britain’s security depends on it.

Photo Credit: DepositPhotos.com
